Tagged Questions

Padding has two primary uses in cryptography: ensuring messages are the proper length necessary for certain ciphers (e.g., block ciphers), or providing assurances not built into the core cipher (e.g., semantic security).

I'm trying to understand the SSL Poodle Attack and I'm wondering why the last block of a CBC Record can be full of padding? Wouldn't that mean that the useful data was already a multiple of the key ...

I've read everywhere online and people say plain text RSA is very unsafe. To make it safe you pad it but no examples are shown anywhere on how to do it. It's explained that random data is added to the ...

I have a bit of a problem with padding. Everything goes fine when I encrypt the text BUT when I decrypt I see some extra characters. Sometimes one character, sometimes more, and I don't know how to remove ...

I've got an API spec that specifies NRPAD and FPAD as possible padding schemes. I see these being used together with the Korean SEED algorithm. The SEED specification however is void of any padding ...

Whenever a ciphertext is decrypted using a block-cypher, we need to remove the padding. There are different ways to add padding, but they usually set the last byte of the last block to the number of ...

Padding oracle attacks are a huge nuisance when using CBC mode encryption without authentication. Wouldn't all those padding oracle attacks be avoided if we'd just use bit padding instead? Or is does ...

I am very new to cryptography so I don’t know much about it. I have been given a very large $N$ value and $E$ value to decrypt a ciphertext which was created using an AES 128 key and an IV by using RSA ...

I've read several texts which say that if the entire plaintext is a multiple of the block-size padding is not required (and not using padding would not mean a loss of security).
I generally disagree ...

As everybody knows in order to calculate HMAC we have to concatenate padding to the message. I am just curious why the padding needs to be fixed-length. Why do we need the blocksize parameter here?
...

Apparently current best practices recommend that you do not compress before you encrypt.
For example in this blog entry (*):
http://sockpuppet.org/blog/2013/07/22/applied-practical-cryptography/
It ...

Assume that I have a plaintext $m$ and it is padded with $randompad||00||m$ and then it is encrypted with RSA and a public encryption key so we get the encrypted $Sm$.
Then to assure its integrity ...

One thing I was surprised to learn about AES is that random padding can be added to the message to make it a multiple of block size. What I can not wrap my head around is how this random padding can ...

According to this document the padded message has the following structure:
$EM \;= \; 0x00 \; || \; 0x02 \; || \; PS \; || \; 0x00 \; || \; M$
What is the purpose of this null byte at the beginning ...

I started to implement some MAC since last week with the specifications given here. I'm currently testing the OMAC (one-key CBC) with test vectors. In the OMAC specifications at page 4, they explain ...

As said in the heading, I want to know how the security of different padding methods, e.g. ANSI X.923, ISO 10126 and PKCS7, is compared to other methods to reach the needed block size, like ciphertext ...

Is CBC with Ciphertext Stealing (CTS) considerably weaker than CBC with padding such as PKCS7?
I would imagine the most common situation where CTS is necessary would be due to some size constraint of ...

If I am not mistaken, plaintext RSA is not secure. So, I have read that padding and hashing is needed to make the RSA algorithm secure. However, I am confused on what does padding or armoring mean in ...

I'm playing around with an application for secure email-like communication and I want to perform length hiding padding on the plaintext messages so they always have a consistent size before encrypting ...

I would like to be able to encrypt the output of RSA with RSA again without having the output grow in size over time.
In other words, I have some data $D_0$ which I want to encrypt with RSA: $D_1 = ...